This Library Briefing Paper looks at data protection and what might happen after Brexit.Jump to full report >>
The EU data protection framework
The main piece of EU data protection law is the 1995 Data Protection Directive. The Directive was implemented into UK law by the Data Protection Act 1998. The 1998 Act provides the legal framework for data protection in the UK.
A 2008 Council Framework Decision applies to the processing of personal data in police and judicial cooperation in criminal matters. This was transposed into UK law by the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014.
The EU’s Charter of Fundamental Rights and Freedoms is also now central to EU data protection law. Article 8 gives individuals the right to protection of personal data. Courts have, on a number of occasions, used Article 8 to inform their interpretation of EU data protection law.
Since 1995, digital technology has profoundly changed the way data is collected, accessed and used. In January 2012, the European Commission therefore proposed a new legislative framework for data protection. In its now finalised form, this has two elements:
The GDPR will apply in the UK from 25 May 2018.
The PCJ Directive must be transposed into national law by 6 May 2018.
Under the EU’s data protection framework, any country other than the EU and EEA Member States is classed as a “third country”.
Personal data can only be transferred to a third country when an adequate level of protection is guaranteed. One option is for the European Commission to make an “adequacy decision” so that data can flow from EU/EEA Member States to third countries (or one or more specific sectors in those countries). Other options include binding corporate rules and standard contractual clauses.
Data protection after Brexit
On leaving the EU, the UK would become a third country.
The Government has stressed that it wants to maintain the unhindered flow of data between the UK and the EU after Brexit. However, in a July 2017 report, the Lords Select Committee on the European Union said it was “struck by the lack of detail on how the Government plans to deliver this outcome”. The Committee recommended that the Government should seek adequacy decisions as “the least burdensome and most comprehensive platform for sharing data with the EU” after Brexit. It warned of a “cliff-edge” if transitional arrangements did not allow for continuity of data sharing.
Some business leaders have also expressed concern at what will happen after Brexit.
In an August 2017 position paper, the Government said that it “wanted to explore a UK-EU model for exchanging and protecting personal data that could build on the existing adequacy model.”
The Data Protection Bill [HL] 2017-19 would bring the GDPR and PCJ Directive into UK law and, according to the Government, “ensure that the UK is prepared for the future after we have left the EU”.
However, the Government proposes to exclude the Charter of Fundamental Rights from ‘EU retained law’ after Brexit. Instead, underlying rights and principles will be carried forward and will be substitute reference points in pre-Brexit case-law referring to the Charter.
This raises a number of questions for data protection. For instance:
Commons Briefing papers CBP-7838
Authors: John Woodhouse; Arabella Lang